Page 444 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
or the verification path. By forcing a reverification of all stages of trust, you can reestablish all trust links and prove that the assumed trust remains assured.
Certificate Generation and Destruction
The technical concepts behind the public key infrastructure are relatively simple. In the following sections, we’ll cover the processes used by certificate authorities to create, validate, and revoke client certificates.
Enrollment
When you want to obtain a digital certificate, you must first prove your identity to the CA in some manner; this process is called enrollment. As mentioned in the previous section, this sometimes involves physically appearing before an agent of the certification authority with the appropriate identification documents. Some certificate authorities provide other means of verification, including the use of credit report data and identity verification by trusted community leaders.
Once you’ve satisfied the certificate authority regarding your identity, you provide them with your public key. The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key. The CA then digitally signs the certificate using the CA’s private key and provides you with a copy of your signed digital certificate. You may then safely distribute this certificate to anyone with whom you want to communicate securely.
Verification
When you receive a digital certificate from someone with whom you want to communicate, you verify the certificate by checking the CA’s digital signature using the CA’s public key. Next, you must check that the certificate has not been revoked, using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP). At this point, you may assume that the public key listed in the certificate is authentic, provided that it satisfies the following requirements:
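The enrollment and verification steps described in the two preceding sections, as an added example written for this page (it is not code from the study guide). It uses only the Go standard library: a hypothetical CA named "Example Root CA" issues an X.509 certificate from a subject's CSR, publishes a CRL, and a relying party checks the CA signature, the validity period, and the CRL before trusting the public key. The identity-proofing part of enrollment (documents, credit data, community vouching) happens out of band and is deliberately not modelled; the subject and serial values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the certificate's serial appears on the CRL.
var ErrRevoked = errors.New("certificate is revoked")

// CA is a hypothetical certificate authority: its signing key and self-signed root.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed root allowed to sign certificates and CRLs.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// MakeCSR is the subject's half of enrollment: generate a key pair and hand the
// CA a signed request that carries only the public key, never the private one.
func MakeCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	return key, csr, err
}

// Enroll is the CA's half: once identity is established out of band (not modelled),
// the CA binds the CSR's public key to the subject in a certificate it signs itself.
func (ca *CA) Enroll(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// The CSR's own signature proves the requester holds the matching private key.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCRL publishes a CA-signed revocation list naming the given serials.
func (ca *CA) IssueCRL(revoked []int64) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{RevokedCertificates: entries, Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Verify is the relying party's check: CA signature under the CA's public key,
// validity period, and absence from a CRL that itself carries a valid CA signature.
func Verify(cert, caCert *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("ca signature: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside validity period")
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(caCert); err != nil {
			return fmt.Errorf("crl signature: %w", err) // an unverified CRL proves nothing
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Root CA")
	_, csr, _ := MakeCSR("alice@example.test") // constructed subject name
	cert, _ := ca.Enroll(csr, 42)
	fmt.Println("fresh certificate:", Verify(cert, ca.Cert, nil, time.Now()))
	crl, _ := ca.IssueCRL([]int64{42})
	fmt.Println("after revocation:", Verify(cert, ca.Cert, crl, time.Now()))
}
```

The CRL check deliberately validates the CRL's own signature before consulting it: a revocation list that the relying party has not authenticated could be substituted to hide a revocation, so the CA signature on the CRL is as important as the one on the certificate. OCSP replaces the list lookup with a signed per-certificate status response but rests on the same signature check.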

